Executive Summary


Title: Operational Art in Cyber Defense

Author: Major Oscar Alanis, United States Marine Corps

Thesis: Since cyberspace is a warfighting domain, a Joint Task Force (JTF) Commander can use traditional warfighting principles to develop a cyber defense plan as part of an integrated joint campaign once he has clearly established command and control structures.

Discussion: Upon the establishment of a JTF, a Commander assumes significant risk in the cyber domain. Limited understanding of the characteristics of the cyber domain and a lack of clearly defined command and control relationships place the Joint Task Force at excessive risk. Additionally, the Department of Defense relies on the civilian Internet for many supporting functions. Connections to the Internet provide adversaries a direct avenue of approach to target and disrupt joint operations. A Commander must have proper command and control structures and an improved understanding of the cyber defense situation in place during Phase 0 to lay the proper foundation before conducting an operation. The Department of Defense remains vulnerable unless it changes how the military services are organized, trained and equipped to provide a JTF Commander the means to defend his networks better.

Conclusion: A Joint Task Force Commander can use operational art to defend the cyber domain in support of an integrated campaign plan as he would in any of the other warfighting domains. However, the operations community needs a greater understanding of the domain's characteristics to improve the combat effectiveness of a JTF. The Department of Defense will need to change how the military services organize, train and equip to support a theater campaign by providing a Joint Task Force Commander the tools he needs to prevent the cyber domain from becoming a critical vulnerability.
Preface


I had the privilege of serving as a Plans and Liaison Officer and the Chief of Computer Network Defense for the Defense Information Systems Agency (DISA) in Germany (DISA-Europe). While there, I learned a great deal about defending the Cyber Domain. It was clear that many questions remained unanswered regarding command and control relationships and providing a Joint Force Commander the support and information he needs to achieve his objectives. As the opportunity presented itself at Marine Corps University, I could dedicate time to read and think about what others had written about cyberwar, cyber warfare, war in cyber and simply war. All of the terms have different meanings to the authors and readers alike. The more I researched the project, the clearer it became to me that warfare in the cyber domain is only a part of war.

As a Certified Information Systems Security Professional, a Certified Information Security Manager and most importantly a US Marine, I felt compelled to try to make sense of how an operational planner and a cyber defense planner could come to common ground in providing an ideal plan to support a common Commander. Both camps have come a long way to understand each other. But much more needs to be done. While there is a great deal of interest in the subject, a definitive solution to how the Department of Defense develops its cyber defense concepts and underpinning doctrine lacks substance to adequately protect the networks that support operations. While there is nothing mystical about the domain, there is a danger in having only a cursory understanding of what is possible, which may make matters worse before they get better.

I want to express my gratitude to Dr. Richard DiNardo for taking the time to guide me during this work. His perspective in trying to develop what Operational Art in the Cyber domain might look like in the future was invaluable. I would also like to thank Dr. Frank Mario, Dr. Matthew Flynn, Paul K. Van Riper, LtGen, USMC (Ret.), LtCol Mike Phillips, USMC and LtCol Paul Melchior, USMC for exposing me to different perspectives when researching the subject. The staff of the Gray Research Center in Quantico is truly a world-class resource that I was extremely fortunate to benefit from. Most importantly, I would like to thank my wife and children for allowing me the time to work through this project and satisfy a personal curiosity.

I used the masculine when referring to the Commander and the adversary throughout this paper for brevity.


Alanis  1 


Looking for a Functional Cyber Component Command?

A Geographic Combatant Commander has many options when considering how to organize for an operation within his area of responsibility. He can establish a Joint Task Force (JTF) with functional component commands, including a land component command, an air component command, and a maritime component command, to meet the requirements of an operation. Like the other domains, the cyber domain presents a Commander with both opportunities and pitfalls. Upon the establishment of a JTF, the Commander assumes significant risk in the cyber domain. Networks are designed to share information and are inherently insecure. The JTF Commander needs to prepare his cyber defense posture to address the threats awaiting him as the operation unfolds. Limited understanding of the characteristics of the domain and a lack of clearly defined command and control relationships within the domain place the JTF at excessive risk. Since cyberspace is a warfighting domain, a JTF Commander can use traditional warfighting principles to develop a cyber defense plan as part of an integrated joint campaign once he has clearly established command and control structures.

What would be the best way to organize a JTF to meet the challenges of the cyber domain? Normally, a functional component command is built around the service component command with the preponderance of forces in the theater. But where should a Commander look to establish a Functional Cyber Component Command? Determining how to assign a Functional Cyber Component Command is not as trivial as it sounds. How would a JTF Commander conclude which service component has the preponderance of cyber forces? A JTF Commander cannot simply count how many firewalls and computer security devices each of the service components brings to the fight to determine which component should assume the responsibility. A JTF Commander should not bear the burden of trying to figure this out on his own. The Department of Defense should establish a framework in which a JTF Commander can quickly benefit from a Functional Cyber Component Command before a crisis occurs.

Unfortunately, cyber defense organizations within the service components are not organized as traditional military formations. All of the military departments and supporting agencies have varying cyber formations and capabilities, with equally unique command and control relationships for their respective commands. Each of the service cyber organizations within a JTF is under the technical control, and often the operational control, of its respective service headquarters or service cyber component headquarters.

In the case of the Marine Corps, the cyber defense organizations embedded within a Marine Air Ground Task Force (MAGTF) would have established, in some capacity, a command and control relationship with the cyber defense organizations of the JTF Commander, the theater Marine Forces Commander, and the Marine Forces Cyber Commander. It is debatable which commander has the ultimate authority and responsibility to direct changes to the defensive posture of the MAGTF networks supporting the JTF. Each of the service components within the JTF has similar issues.

Along with a Geographic Combatant Commander, a newly designated JTF Commander has additional challenges he must understand at the beginning of the operation. All of the services employ their computer networks and support organizations just differently enough to make coordination and sharing of a cyber common operating picture extremely difficult at best.

A Joint Force Commander currently has the ability to visualize where his forces are arrayed in a Joint Operating Area. He lacks this visualization in the cyber domain. At best, he has a static display with stale information depicting which systems are operational and where intrusion incidents occurred. He lacks an accurate and dynamic cyber common operating picture that can be overlaid on his common operating picture for the other warfighting domains. Simply put, he does not know if unit X is at risk due to a vulnerability in cyberspace. He also lacks the ability to effectively command and control the networks within his Joint Force. If one were to follow the elder Helmuth von Moltke's concept of campaigning, the Commander has already failed before the operation begins because he has not established the proper conditions before commencing the campaign.

One of the conditions the JTF Commander has failed to establish up front is a baseline security posture across the entire force. Because he cannot ascertain that baseline, he cannot establish what normal network activity looks like throughout the JTF. All of the computing devices and software applications in his command are of varying types, models and series, each with its incumbent security vulnerabilities. Cyber defense planners within the JTF's operations division have significant challenges to overcome before developing a coherent plan in support of the JFC's campaign objectives.

Five Disadvantages

Before discussing how the joint warfighting principles may be applied to the cyber domain, it is important to understand what a JTF Commander and his planners face as they begin designing a plan. In developing their portion of a campaign plan, cyber defense planners face no fewer than five inherent disadvantages. They include, but are not limited to, the advantage in cyberspace residing with the offense, the difficulty in sharing cyber security information between security agencies within the JTF, the presence of multiple adversaries in the domain, a reliance on the Internet for critical support functions, and a lack of understanding of the cyber domain's characteristics.

In the cyber domain, the advantage resides with the offense. An attacker can bide his time, shape the environment, and strike at the time and place of his choosing. In contrast, cyber defenders must be vigilant in a 360-degree defensive posture. A similar dynamic exists between insurgent and counterinsurgent. Counterinsurgency theorist David Galula argues that an insurgency is relatively cheap compared with the costs of counterinsurgency. In an insurgency, a relative advantage resides with the insurgent in that the insurgent can hide within the general population and can wait for the best time to strike. Galula's description is applicable to the cyber domain. Comparatively speaking, an attacker's tool set is cheaper than a defender's aggregate cyber defense requirements.

Similar to an insurgent's activity, a cyber attacker's activity can hide within legitimate network activity. In the cyber domain, an attacker can be selective in evaluating which attack methodology would be the most effective. The easiest way for an adversary to gain access to a DoD network is by exploiting human nature. In a possible scenario, an adversary attempts to deliver malware via what is known as a phishing email. The adversary successfully targets and delivers malware to a key member of the JTF staff. Believing an attachment is legitimate, the staff member opens it, beginning the process whereby the adversary gains access to the DoD network via the victim's computer and is able to navigate the network. This malware enables the adversary to access files remotely and send them outside of the DoD network. The adversary may also be able to access key files and modify them in a way that would not appear out of the ordinary but nonetheless makes the friendly force take the adversary's desired actions. A worst-case scenario is when the adversary is able to escalate his network privileges to those of a network administrator and can create new accounts and implement network security modifications at will. This worst-case scenario is the functional equivalent of having an enemy agent operating within the command with unfettered access to key personnel and documents.

A JTF Commander can assume that events similar to the scenario described above are occurring within each of the JTF service components. It is difficult to establish whether the individual incidents at each of the service components are isolated events or a coordinated series of initial shaping actions for a larger attack in the cyber or other warfighting domains. This limitation is due largely to the previously mentioned lack of a cyber common operating picture and to information sharing shortfalls between cyber defense organizations. It is likely that the JTF cyber defense organizations have not previously worked together and have not established useful information sharing processes before the operation began.

Cyber defense planners also face a multitude of adversaries within the domain. While a JTF Commander will likely have a designated adversary for his operation, additional adversaries can strike the JTF as well. For example, there may be cyber activists, cyber patriots or other opportunists who may rally to the aid of our enemy via the cyber domain. The cyber domain expands a JTF commander's area of interest significantly.

A JTF Commander's area of influence is also larger than normal because the Department of Defense relies on Internet connectivity with commercial providers to support logistics requirements. The DoD must maintain open communications channels to keep the joint force supplied. Additionally, the United States' reliance on information technology provides potential adversaries an unprecedented level of access to joint force service members. An adversary can use the indirect approach to reduce a JTF's combat effectiveness.

For example, the DoD pays most of its service members via direct deposit, disbursing funds directly into members' bank accounts. The direct deposit system provides adversaries opportunities to influence a JTF's effectiveness. A review of recent newspaper reports of computer security breaches at major financial institutions gives one an appreciation of the potential impact an adversary could have on the military's morale and combat effectiveness via cyber attack. One need only imagine the effect of widespread pay outages to military members while they are deployed. Military members could be distracted by news from spouses that salary payments have not been properly distributed. Media reports from home station can affect troop morale. History provides examples of the effect media reports from the home front can have on front line troops.

The fifth of the cyber defense planner's challenges is the JTF members' fundamental lack of understanding of the characteristics of the cyber domain. In the past, military units would display posters depicting the Soviet order of battle and plates of information on the prevailing Soviet weapons systems. There was an implicit understanding that everyone was responsible for learning the information displayed. The implication was that everyone could develop collective technical and tactical proficiency by study and familiarization. This shared proficiency is not the case today in the cyber domain. While one may hear of cyber attacks in the news and have to complete annual training, the repetitive discussion and familiarization with the adversary's order of battle does not occur. It may be that the joint force does not really understand what it is collectively up against on a daily basis. This gap in technical understanding and the other four disadvantages will make operational art in the cyber domain more difficult.

Understanding the Environment

Just as in the other warfighting domains, an operational planner must understand the environment. Actions taken within the cyber domain can have disproportionate outcomes. The disproportionality is the result of the adversary having a high-speed avenue of approach to JTF information. Unlike the other domains, adversaries have weapons parity with the United States in cyberspace. An adversary need not spend significant resources to develop strategic weapons to inflict damage. He requires only a laptop and an Internet connection to begin his campaign. If a JTF is unable to trust the information that is available within its networks, it is unable to maximize the JTF's combat power.

An operational planner will be challenged to make the linkage between strategic objectives and tactical actions within the cyber domain without a solid foundation in the technical capabilities and limitations of cyber operations. The gap is artificially induced by a general unwillingness to discuss detailed cyber capabilities openly. Similar to nascent nuclear weapons doctrine, an element of ambiguity is somewhat necessary. But as long as the DoD continues to limit the dialogue to closed-door sessions, it cannot leverage the collective brainpower of individual service members to develop well-reasoned solutions.

A JTF Commander may be tasked to support the host nation in defending its networks during an operation. This task would be similar to supporting a foreign internal defense mission. However, the Commander must understand that he has limited resources to achieve this objective. He cannot project combat power to defend a host nation network. The Commander can only facilitate the improvement of network defense activities by suggesting and coordinating industry best practices for the host nation. Similar to intelligence sharing, information sharing for the cyber domain with partner nations is problematic.

The question of whether network intrusions constitute an attack, espionage or criminal activity needs to be codified to help establish what the Commander can do in response to the activity. In short, it is difficult to establish clear rules of engagement in the cyber domain. There is little agreement on what constitutes acceptable behavior in the domain. Part of the challenge of defining a provocative act is how policy makers and military leaders view attacks against networks. Most cyber intrusion activity can be classified as either intelligence collection or electronic warfare. One is both a warfighting function and a national security activity; the other is an act of war. The results of cyber activity would determine whether the activity was an act of war or simply an activity supporting war. For example, the production of food and clothing is not by definition warfare. However, the distribution of food and clothing to front line troops is a key warfighting function, and denying the enemy the same would constitute warfare. The question of whether distributed denial of service (DDoS) attacks are an act of war or criminal activity has not been resolved. Like terrorist activity, actions can sometimes be viewed through a criminal lens and at other times through a warfighting lens. The two views have different decision chains that are not always mutually supporting. If leaders view the events as criminal activities, then rules of evidence and jurisprudence would normally apply. If decision makers view the activity as warfare, a JTF could take aggressive defensive countermeasures in response.

Similar to the conflicting views of what constitutes acceptable behavior in the domain, there remains disagreement about the role of the domain in war. Clausewitz argued that war is a continuation of politics by other means and that without violence or the threat of violence there is no war. A student of war and warfare could have difficulty understanding the role of operations in cyberspace using Clausewitz's model. His theory remains relevant nonetheless. Cyberspace has a role in war in that cyberspace is simply a means to achieve both political and military objectives. As in the physical domains, offensive and defensive operations have a role in war. In the cyber domain, defensive cyber operations can only be a combat support effort.

Cyber defense activities can affect the outcome of an operation in a similar manner as operational security and counterintelligence efforts. The means cyber planners and operators employ to achieve their objectives are part of the art and science of war. Use of the cyber domain is not much different from use of any of the other warfighting domains to achieve an objective. Each domain has its own characteristics, but ultimately the actions in each domain must support overall operational objectives.

A JTF Commander is nearly blind to any cyber activity outside of his own networks. His visibility beyond his own network activity is limited because the outside networks are owned and administered by private organizations. He can try to clear the fog with surveillance tools. However, he is limited to what friendly intelligence efforts are able to provide. It is difficult to know if a cyber actor is massing a botnet for a deliberate DDoS attack or if an adversary is developing a new phishing campaign targeting key leaders. While this type of activity occurs almost daily, it is difficult to establish what the normal noise level is and to compare it to something extraordinary. Without understanding what normal looks like, an operational planner will struggle to gain an advantage in cyberspace.
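The baseline problem appears twice in this paper: a JTF that cannot say what normal network activity looks like (the earlier discussion of conditions the Commander has failed to establish) and, here, the difficulty of telling the daily noise level from something extraordinary. The following routine is an added example, not part of the paper. Host names, hourly counts and thresholds are constructed; in a real JTF the per-host statistics would be computed from firewall or flow logs, and the "quiet" training window would itself have to be validated before it is trusted.

```python
"""Build a per-host baseline of outbound activity and flag departures from it.

Added example, not from the paper. All host names and counts are constructed;
a real baseline would be computed from the JTF's firewall or flow logs.
"""
from statistics import mean, pstdev

# Constructed training data: outbound connections per host, one count per hour,
# collected over a window believed to be quiet (the "normal" the text asks for).
TRAINING = {
    "ws-j3-017":  [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15],
    "ws-j6-042":  [40, 38, 45, 41, 39, 44, 42, 40, 43, 41, 39, 42],
    "srv-files1": [300, 310, 295, 305, 300, 298, 302, 307, 299, 301, 304, 303],
}

# Constructed "current hour": one workstation is suddenly very busy and one
# host has never been seen before.
CURRENT_HOUR = {
    "ws-j3-017": 14,
    "ws-j6-042": 180,
    "srv-files1": 301,
    "lt-new-09": 55,
}


def build_baseline(training):
    """Return {host: (mean, population std dev)} of hourly outbound connections."""
    return {host: (mean(counts), pstdev(counts)) for host, counts in training.items()}


def noise_level(training):
    """JTF-wide 'normal noise level': mean total outbound connections per hour."""
    hours = zip(*training.values())
    return mean(sum(h) for h in hours)


def flag_anomalies(baseline, current, z_threshold=3.0, min_excess=10):
    """Hosts whose current count exceeds mean + z_threshold * std dev.

    min_excess stops a near-constant host (tiny std dev) from producing an
    alert on a trivial absolute change. A host with no baseline at all is
    reported too: an unknown device is itself a gap in the common picture.
    """
    alerts = []
    for host, count in sorted(current.items()):
        if host not in baseline:
            alerts.append((host, count, "no baseline for this host"))
            continue
        mu, sigma = baseline[host]
        limit = mu + z_threshold * sigma
        if count > limit and count - mu >= min_excess:
            alerts.append((host, count, f"expected at most {limit:.1f}"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print(f"normal noise level: {noise_level(TRAINING):.1f} connections/hour")
    for host, count, why in flag_anomalies(base, CURRENT_HOUR):
        print(f"ALERT {host}: {count} outbound connections ({why})")
```

Two design points matter more than the arithmetic. First, the per-host threshold is relative to that host's own history, so the file server's 300 connections an hour is normal while a workstation's 180 is not; a single JTF-wide threshold would get both wrong. Second, the baseline is only as good as the window it was taken from: an adversary already resident during the training window is baked into "normal", which is exactly the Moltke point made earlier about establishing conditions before the campaign begins.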

The JTF's role in protecting commercial network systems in a host nation is uncertain. It is well known that the United States military relies on commercially provided network services and support activities. Since commercial vendors provide network leases, the data passes through the communications equipment of private American and foreign companies. While the DoD uses robust encryption methods to protect the confidentiality of that data in transit, encryption does nothing for availability: an adversary need only cause physical destruction of a few key network intersections to degrade US operations. One could argue that protecting a critical network node is similar to protecting a major utilities facility within the Joint Operating Area. One could also argue that the host country should protect these key network nodes itself. However, if the host nation does not have an adequate capability to defend the nodes, the question of whether the JTF could perform a type of cyber foreign internal defense comes to the fore again.

At the operational level, a JTF Commander should understand how his networks interact with the larger DoD networks and how the DoD connects to the Internet to support a campaign. The DoD uses Internet Access Points (IAPs) as gateways between government networks and the Internet. There are relatively few IAPs in the DoD, but the volume of information that travels across them is great. For the United States, these cyber choke points have the strategic equivalence of the straits of Gibraltar or Malacca. Should an IAP become unavailable, the DoD's logistics and supply chain could become severely degraded. Over time, the DoD would begin to lose combat effectiveness if it were not able to communicate openly with vendors and mission partners.

Throughout the DoD, including at the JTF level, sub-organizations establish logical network boundaries using a variety of methods. The purpose of this defense in depth strategy is to limit the risk between organizations. In other words, a risk to organization A does not necessarily affect organization B even though the two organizations' respective networks are connected. While this approach is generally effective in containing security risks, it does come at a cost in reduced information sharing. To share information between organizations, network administrators must write rules that allow varying levels of information access between organizations. The challenge grows as the administrators must establish access rule sets between multiple organizations and maintain constant vigilance to ensure the rule sets are kept current: a rule that outlives the need that justified it is an opening the boundary was meant to close.
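The boundary model described above can be written down small enough to reason about. The following is an added example, not part of the paper: organization names, ports, rule owners and review dates are constructed, and a real rule set would be exported from the boundary firewalls rather than typed in. It shows the three things an administrator actually needs from such a rule set: a default-deny decision for a given flow, the set of organizations an attacker could pivot to from a compromised one (the "risk to A does not affect B" claim, made checkable), and an audit for rules that have outlived their justification.

```python
"""Default-deny boundary rules between organizations, a blast-radius check, and
a staleness audit of the rule set.

Added example, not from the paper. Organization names, ports, owners and
dates are constructed; a real rule set would be pulled from the boundary
firewalls themselves.
"""
from collections import deque
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    src_org: str
    dst_org: str
    port: int
    owner: str       # who justified the rule; "unknown" means nobody did
    review_by: date  # the rule must be re-validated by this date


# Constructed rule set. NAVFOR may reach out to JTF-HQ, but nothing is allowed in.
RULES = [
    Rule("JTF-HQ", "MARFOR", 443, "J6 ops",   date(2025, 6, 30)),
    Rule("MARFOR", "JTF-HQ", 443, "J6 ops",   date(2025, 6, 30)),
    Rule("JTF-HQ", "ARFOR",  445, "J3 plans", date(2024, 1, 15)),  # review overdue
    Rule("ARFOR",  "MARFOR", 22,  "unknown",  date(2025, 6, 30)),  # nobody owns it
    Rule("NAVFOR", "JTF-HQ", 443, "J6 ops",   date(2025, 6, 30)),
]


def is_allowed(rules, src_org, dst_org, port):
    """Traffic inside one organization is that organization's business; traffic
    crossing a boundary is denied unless a rule explicitly allows it."""
    if src_org == dst_org:
        return True
    return any(r.src_org == src_org and r.dst_org == dst_org and r.port == port
               for r in rules)


def reachable_from(rules, compromised):
    """Organizations an attacker could reach by pivoting along allowed flows,
    starting from a compromised organization (its own network excluded)."""
    seen, queue = set(), deque([compromised])
    while queue:
        org = queue.popleft()
        for r in rules:
            if r.src_org == org and r.dst_org not in seen and r.dst_org != compromised:
                seen.add(r.dst_org)
                queue.append(r.dst_org)
    return seen


def audit(rules, today):
    """Rules that need attention: past their review date, or with no accountable owner."""
    findings = []
    for r in rules:
        if r.review_by < today:
            findings.append((r, "review overdue"))
        if r.owner == "unknown":
            findings.append((r, "no accountable owner"))
    return findings


if __name__ == "__main__":
    print("MARFOR -> ARFOR:445 allowed?", is_allowed(RULES, "MARFOR", "ARFOR", 445))
    print("reachable from a compromised ARFOR:", sorted(reachable_from(RULES, "ARFOR")))
    for rule, why in audit(RULES, date(2025, 3, 1)):
        print(f"{rule.src_org}->{rule.dst_org}:{rule.port}: {why}")
```

With this rule set a compromise of ARFOR can pivot to MARFOR and on to JTF-HQ, but never to NAVFOR, because no rule points into NAVFOR; that is the containment the text describes, and it holds only while the rule set stays as small as the mission needs. The audit is the "constant vigilance" part: every cross-boundary rule carries an owner and a review date, so an unowned or overdue rule is surfaced rather than silently accumulating.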

A similar process occurs between the cyber security organizations. Many DoD organizations have personnel dedicated to monitoring security logs and intrusion attempts. Each security organization would have to establish security rule sets between themselves to better understand what is happening in their adjacent organizations. This process is akin to a rifle company commander understanding what his sister rifle companies are experiencing while they are all in a defensive posture.

However, there is such a thing as too much information in cyber defense. Some cyber defense planners believe that access to all of the security data available will help reduce the fog of network security incidents. The problem with this line of thinking is that the sheer volume of security events occurring at all levels, from the outer boundary at the IAPs down through the JTF and service component levels, can quickly overwhelm the JTF's equipment and security staff. Another approach to consuming and analyzing network security alert data is a division of labor between hierarchical security organizations. Far from perfect, this alternative approach has the flaw that each organization has a myopic perspective on security alerts and activities.
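The two shortfalls described in this paper, the inability to tell whether incidents at each service component are isolated or a coordinated series (in the discussion of the five disadvantages) and the myopia that comes with a division of labor between hierarchical security organizations (above), are the same problem seen from two levels. The following is an added example, not part of the paper, that shows both: the events are constructed, the source addresses come from the 198.51.100.0/24 documentation range, and the organization names are placeholders for a JTF's service components.

```python
"""Roll up per-organization security events and correlate across organizations.

Added example, not from the paper. The events below are constructed; the
source addresses are from the 198.51.100.0/24 documentation range and the
organization names are placeholders for a JTF's service components.
"""
from collections import Counter, defaultdict

# Constructed events as each component's watch floor would see them:
# (organization, source address, event type, target system).
EVENTS = [
    ("MARFOR", "198.51.100.7", "auth_failure", "mail-gw"),
    ("MARFOR", "198.51.100.7", "auth_failure", "mail-gw"),
    ("MARFOR", "10.20.3.4",    "auth_failure", "fileshare"),
    ("MARFOR", "10.20.3.9",    "av_detection", "ws-0412"),
    ("ARFOR",  "198.51.100.7", "auth_failure", "vpn"),
    ("ARFOR",  "10.30.1.1",    "auth_failure", "vpn"),
    ("ARFOR",  "10.30.1.1",    "auth_failure", "vpn"),
    ("ARFOR",  "10.30.7.7",    "auth_failure", "vpn"),
    ("NAVFOR", "198.51.100.7", "auth_failure", "portal"),
    ("NAVFOR", "10.40.2.2",    "av_detection", "ws-0099"),
    ("NAVFOR", "198.51.100.9", "port_scan",    "dmz-fw"),
]


def local_view(events, org, threshold=5):
    """What one organization's analysts can see on their own: sources that
    exceed a per-source threshold within that organization's logs only."""
    per_source = Counter(src for o, src, _, _ in events if o == org)
    return sorted(src for src, n in per_source.items() if n >= threshold)


def summarize(events):
    """The rolled-up report a component would send upward instead of raw
    events: a count per (organization, event type). This is the volume
    reduction the text describes, and also why the higher level can no
    longer see individual sources."""
    return Counter((o, kind) for o, _, kind, _ in events)


def cross_org_sources(events, min_orgs=3):
    """Sources that appear in at least min_orgs distinct organizations' logs.
    Each organization alone stays below its local threshold, so only a
    JTF-level view fed with source-level detail can surface this."""
    orgs_by_source = defaultdict(set)
    for o, src, _, _ in events:
        orgs_by_source[src].add(o)
    return sorted(src for src, orgs in orgs_by_source.items() if len(orgs) >= min_orgs)


if __name__ == "__main__":
    for org in ("MARFOR", "ARFOR", "NAVFOR"):
        print(f"{org} local alerts: {local_view(EVENTS, org)}")
    print("roll-up:", dict(summarize(EVENTS)))
    print("sources seen across the JTF:", cross_org_sources(EVENTS))
```

Run as written, every component's local view is empty: 198.51.100.7 touched each of them only once or twice, under any sensible per-organization threshold. The roll-up cuts eleven events to a handful of counters, which is what keeps the JTF staff from being overwhelmed, but it discards the source address, so the JTF cannot see the pattern either. Only the third function, which keeps source-level detail but aggregates by organization, shows that one address probed three components. What a JTF needs to share upward is therefore not all events and not only counts, but a chosen set of fields (here the source) at full resolution.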

Warfighting Principles in the Cyber Domain

Unlike the other warfighting domains, cyberspace is man-made and has unique characteristics. An operational planner may find it useful to examine how the warfighting principles of mass, objective, offense, security, economy of force, maneuver, unity of command, surprise and speed (MOOSEMUS) apply as a framework for conceptualizing how he and a cyber defense planner would design a cyber defense plan for a Joint Task Force. Careful consideration of the principles reveals that they do apply to the cyber domain. This section will demonstrate how planners may apply the principles.

Arguably, mass is the most difficult principle to apply to cyber defense. An organization cannot mass its forces to meet a new threat. The cyber defense infrastructure and personnel expertise are in place or they are not. One possible way to mass forces would be to increase the collective understanding of all members of the Department of Defense beyond the minimal computer based awareness training currently in place. The collective cyber training requirements within the DoD are inadequate and directly contribute to the lack of understanding personnel have of the domain's characteristics. As a comparison, the public would think the services negligent if the amount of weapons handling training were diminished to the levels currently required for annual information assurance training. If every member of the department understood the safe handling of network components, the DoD could greatly diminish the security risks to the network. These better-trained military members would report for duty with a Joint Task Force better prepared to take an active role in defending the cyber domain, or at a minimum not to aid the adversary unknowingly.

The next principle to review is the principle of objective. A JTF must have clear objectives for operating in the cyber domain. Clearer objectives would assist an operational planner in developing a coherent cyber defense campaign. At present, the DoD uses many directives in an attempt to articulate what it desires for the cyber domain. The Marine Corps' Cyberspace Concept of 2009 recognizes a fundamental gap and lack of integration between strategic and operational objectives. The 2011 DoD Strategy for Operating in Cyberspace lists four broad security objectives. While a step in the right direction, the four objectives still do not translate into coherent operational objectives and tactical tasks.

In the absence of clear objectives, a Commander may consider defending other key network nodes within his Joint Operating Area along with JTF networks. Brett Williams, the former Pacific Command J6, is correct in his Joint Forces Quarterly article when he argues that a Joint Force Commander must consider elements of the cyber domain when evaluating key terrain, centers of gravity and critical vulnerabilities. However, he goes astray in asserting that a JTF Commander cannot defend all components of a JTF network; the Commander must. In the cyber domain, an adversary needs to be successful only once to be effective. The DoD's defense in depth strategy is an effort to make intrusions and exploitation more difficult for adversaries. The risks associated with limited defenses of cyber networks have the potential to be more significant than the loss of an aircraft or vehicle. A better argument can be made that a JTF Commander should apply more resources to defending key cyber terrain and develop contingency plans should a key network node be made unavailable. A JTF Commander should have contingency plans in place to work through the loss. He would do the same for any critical resource or key terrain in the other warfighting domains.

While attempting to develop clear operational objectives, it is generally believed that a Commander who defends everywhere defends nowhere. This belief should not be applied to the cyber domain. A Commander must assume some measure of risk. However, the risks associated with a poor defense strategy in the cyber domain have outsized impacts compared to the land, maritime and aviation domains. For example, a lightly defended area in the land domain may allow the commander to take a calculated risk that an adversary cannot exploit the area before the friendly force can respond. The speed at which cyber gaps can be exploited is much faster than what operators are normally accustomed to.

All members of a Joint Task Force, in addition to cyber defenders, must have an offensive spirit in the pursuit of effective cyber defense. This is not to be confused with taking a first strike at an adversary. First strikes as part of an active defense campaign could prove useful, but the subject is beyond the scope and classification of this paper. Cyber defenders can take a more active role by reviewing internal network activities to determine what activity is legitimate and what activity is not. Cyber defenders need to view themselves as more than network administrators. They need to embrace their operational relevance to the warfighting effort as operational contributors and not a supporting function. Likewise, all personnel within a JTF have an active role to play in defending the cyber domain. A JTF should have clear guidelines for how individuals can take an active role. For example, the JTF can establish easy reporting procedures for suspected adversary activity and daily reminders of adversary trends.

The next principle to consider is the principle of surprise. As previously stated, the attacker has the upper hand in the cyber domain. The attacker can use surprise to his advantage by carefully planning and shaping the conditions to launch an attack largely unnoticed by the defender. The defender must remain ever vigilant to all adversary activity. The attacker also has an advantage in that he can use a form of surprise by exploiting what is known as a zero-day vulnerability, or by social engineering, to launch an attack. The defender may not be aware of the vulnerability until it is too late to implement a remedy. To minimize the adversary's use of surprise, operational planners must realize that software patches and secure configuration settings are an operational issue as important as fuel or ammunition levels, and must be viewed as a means to thwart an adversary attack vector.

Much of the dialogue about the cyber domain tends to focus on offensive cyber capabilities. As a result, cyber defense is relegated to an economy of force effort. However, a poor cyber defense effort can be a critical vulnerability for a Joint Task Force and should not be an economy of force effort. Cyber defense is arguably the most important component a Commander needs to understand to support his overall campaign, and he should not make it a lesser activity by focusing solely on offensive cyber activities. Increasing his understanding is important because of how much a JTF relies on networks to operate in all of the warfighting domains. The cyber defense effort cannot continue to be downgraded as something the

A review of the Marine Corps Concept for Operating in Cyberspace reveals a gap between computer network defense and defend functions under the auspices of Network Operations. This gap is more than temporal on a diagram. The gap represents a significant misunderstanding within the operations community that there is a difference between computer network defense and communication network operations. Until this gap is closed, there will remain limits to having a holistic understanding of what an adversary is trying to do to a Joint Task Force during a network attack. If, for example, a critical fiber optic cable line is cut, cyber defenders should attempt to correlate whether the cut is due to routine environmental conditions or part of coordinated cyber shaping actions. The people who conduct the defend tasks in communications network operations are normally the same individuals who do computer network defense. Cyber defense is an operational issue that cannot continue to be relegated to an economy of force effort.

During the 2008 conflict between Georgia and Russia, the Georgians used a form of maneuver to defend their cyber presence. Unlike the Estonians, who in 2007 decided to defend in place during the cyber attack they experienced, the Georgians maneuvered some of their cyber presence to the United States via private corporations. This option raises a couple of issues future Joint Task Force Commanders may have to face should another country take similar action. First, the Georgians expanded the operating environment to the continental United States, which had not previously been involved in the cyber attack. The Georgian action complicated the operating environment further by inserting the United States between two belligerents before US policy makers could determine if the United States had a vested interest in intervening. It would be difficult to imagine the United States or any country not taking an interest in such actions after they occur. This maneuver is akin to the Germans, upon initiating World War I, marching through Belgium and the Allies not aiding Belgium in the process of defending France. The result of a limited response could be similar to the United States' experience in fighting the Vietnam War by limiting activity in Laos during the early stages of the war.

A second aspect of maneuver a JTF Commander may have to consider is how quickly he can change the network in response to adversary action. Much of the network support a JTF enjoys is provided by contract support. A network configuration change or the application of a security patch can have significant impact on mission capabilities, take time and increase financial costs. For example, a vulnerability remedy can inadvertently render an application feature useless. A cyber defender must be able to explain quickly and clearly the technical impact of a network change to help determine the operational impact of the change.

A third issue created by maneuvering in cyberspace that may vex a JTF Commander is the issue of aid and comfort provided by a third party. Like many support activities, it is difficult to parse accurately and consistently which dual-use materials and functions offer strictly humanitarian support and which directly support war aims. In the example of the Georgians moving their cyber presence to private corporations within the United States, the purpose of the cyber presence would determine if the private companies provide material war aid or humanitarian aid. There is a difference if a Twitter account or blog site hosted in the United States is directing the humanitarian relief effort or being used as a method of national command and control. The difference between the two puts a third party's host government in an awkward position.

A Joint Task Force Commander may have trouble establishing unity of command within the cyber domain, which is arguably the most important warfighting function. Simply put, the answer to the question of who is in charge is not always apparent. There are multiple


Alanis  17 


organizations with a stake in the cyber domain. US Strategic Command has responsibility for the cyberspace mission area, which is subsequently executed by US Cyber Command. US Cyber Command was established as a sub-unified command to focus on the cyber domain. Each of the military services has a cyber component command in support of US Cyber Command. The Defense Information Systems Agency is responsible for defending a significant portion of the department's computer networks since it provides the bulk of the military's access to the Internet. Geographic combatant commanders may all believe they are responsible for the cyber domain within their respective areas of responsibility. A Joint Task Force Commander also believes he is responsible for the cyber domain within his Joint Operating Area. The problem is that they are all correct. The solution to answering the question of who is in charge may reside in establishing a standing Functional Cyber Component Command within each of the geographic combatant commands.

Related to unity of command, the speed of events within the cyber domain is faster than most people can comprehend. Therefore, traditional command and control relationship models of transitioning changes of operational control of "cyber forces" when they are needed do not apply. A Combatant Commander would be well served by establishing a standing Functional Cyber Component Command. A standing Functional Cyber Component Command would allow the combatant command to better support any Joint Task Force Commander during contingency operations by resolving command and control relationships before a crisis occurs. Part of the command and control confusion resides with each military service component having integrated cyber support organizations within the service components. This type of problem has been addressed before within the DoD. There is a similar challenge in how the joint force employs aviation assets. It took the DoD many years to develop current doctrine for supporting the Joint Force Aviation Component Commander (JFACC). Others, such as Williams, suggest a Special Operating Forces model would be a better solution for the lack of a sound command and control structure in the cyber domain. A final command and control construct would likely have elements of how the JFACC and the Theater Special Operation Commander command and control forces to support a Geographic Combatant Commander today.

In a time of constrained fiscal resources, it is unlikely that the military services would be willing to defer command and control responsibilities for the cyber domain to another military service. Each service component commander believes that he is responsible for his portion of the cyber domain and needs the flexibility to operate within it to support his objectives. Perhaps an update to the Goldwater-Nichols Act is needed to facilitate changes within the military departments to ensure effective command and control structures are developed for the cyber domain.

The final principle to consider is security. Establishing the proper security levels within a Joint Task Force network can be problematic. There exists a tension between network security administrators and operations personnel in attempting to balance the operational needs of the organization with minimal risk to security. A JTF Commander has to balance the requirement for keeping security levels adequate with the need to allow network functionality. The security-balancing act directly affects the simplicity of the security measures individuals must employ. Security measures must be simple enough to be employed during daily use of the network, and countermeasures must be easily implemented if security is breached. A Commander will have to establish security protocols that do not make using the network too difficult for the average user. If the security protocols are too cumbersome, people within the organization will likely try to bypass security measures, creating a bigger problem than the one the JFC is trying to solve.
The Campaign Plan

Considering all of the inherent challenges and characteristics of the cyber domain, planners can apply the tenets of operational art to develop a cyber defense plan as part of an integrated theater campaign plan. Joint force planners need to understand where the force's cyber defense posture is starting from and what the end state is to be. Planners must have a strong foundation in the characteristics of the cyber domain.

It is debatable whether action within the cyber domain can be decisive or the main effort of the entire campaign. Williams rightly argues that cyber defense at the operational level can be the main cyber effort. Actions in the cyber domain can be the main effort during early phases of a campaign. Shaping actions in the cyber domain can prepare a JTF for future actions in the domain. If the Commander designates cyber defensive efforts as the main effort in an early phase of an operation, he can set the conditions to protect his networks so their future use in subsequent phases can properly support his campaign.

A JTF cannot operate in a single domain to achieve its objectives. As noted author Colin S. Gray points out, the state does not wage war in a single domain. A domain must be integrated with all of the warfighting domains. Dominance in a single domain only contributes to the overall outcome of a campaign. Such is the case for the cyber domain. Planners must design a cyber defense plan that supports the objectives in the other warfighting domains.

Operational planners must have an appreciation of a Joint Task Force's network security posture to develop a campaign plan. It would be ideal if each service component had an accurate assessment of how vulnerable it was to network attack immediately upon the release of a new network threat. The nature of networks and software is such that it is extremely difficult to understand an organization's risk because of the prevalence of hardware and software coding errors. For example, each organization has to know precisely the type, model, and series of all operating systems, hardware and software applications running within its networks. Any number of the above listed areas can have both identified and unidentified security risks because of faulty programming. When vulnerabilities are uncovered, it is common for remedies not to be available in a timely fashion. The absence of an understanding of how vulnerable an organization is makes developing a coherent campaign plan complicated. The Defense Information Systems Agency (DISA) is working to make secure configuration management and continuous monitoring easier for the cyber defender. The JTF must be able to integrate the available information to clarify the operational picture for the Commander.
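The posture assessment described above, as an added example that is not from the paper or from DISA: a precise inventory (type, model and version of every product) is matched against advisories to show which hosts are exposed, which hosts the inventory cannot place because their version is unknown, and whether a remedy exists yet. Product names, host names, advisory identifiers and version numbers are all constructed placeholders.

```python
"""Added example: exposure picture from a precise asset inventory.
Everything below (products, hosts, advisory identifiers, versions) is
constructed for illustration and refers to no real system or advisory."""
from dataclasses import dataclass
from typing import Optional

Version = tuple  # parsed version, e.g. (6, 1, 2); tuples compare numerically


@dataclass(frozen=True)
class Asset:
    host: str
    product: str                 # operating system or application name
    version: Optional[Version]   # None: the inventory does not know (a posture gap)


@dataclass(frozen=True)
class Advisory:
    ident: str                   # placeholder identifier, not a real advisory
    product: str
    first_affected: Version      # inclusive
    last_affected: Version       # inclusive
    fixed_in: Optional[Version]  # None: no remedy has been released yet


def parse_version(text: str) -> Version:
    """'6.1.2' -> (6, 1, 2)."""
    return tuple(int(part) for part in text.split("."))


def assess(inventory: list, advisories: list) -> dict:
    """For each advisory that touches the inventory, list the hosts known to
    be exposed, the hosts whose exposure cannot be determined because their
    version is unknown, and whether a patch exists.  Advisories that match
    nothing in the inventory are omitted."""
    findings = {}
    for adv in advisories:
        exposed, unknown = [], []
        for asset in inventory:
            if asset.product != adv.product:
                continue
            if asset.version is None:
                unknown.append(asset.host)
            elif adv.first_affected <= asset.version <= adv.last_affected:
                exposed.append(asset.host)
        if exposed or unknown:
            findings[adv.ident] = {
                "exposed": sorted(exposed),
                "unknown": sorted(unknown),
                # the planner's decision point: patch, or a contingency plan
                # for the node if no remedy exists yet
                "remedy": "patch available" if adv.fixed_in else "no remedy yet",
            }
    return findings


# Constructed sample inventory and advisories (placeholders, not real products).
SAMPLE_INVENTORY = [
    Asset("c2-server-1", "ExampleOS", parse_version("6.1.2")),
    Asset("c2-server-2", "ExampleOS", parse_version("6.3.0")),
    Asset("log-collector", "ExampleOS", None),            # version never recorded
    Asset("planning-ws-7", "ExampleMailClient", parse_version("12.0.4")),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleOS", (6, 0, 0), (6, 2, 9), (6, 3, 0)),
    Advisory("ADV-EXAMPLE-002", "ExampleMailClient", (12, 0, 0), (12, 0, 4), None),
]

if __name__ == "__main__":
    for ident, finding in assess(SAMPLE_INVENTORY, SAMPLE_ADVISORIES).items():
        print(ident, finding)
```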

While developing a cyber defense campaign plan, planners must understand the capabilities of interagency partners in addition to all service components. Current law prohibits the Department of Defense from defending commercial entities in the cyber domain. A significant concern is that the defender normally has access to the data systems it is responsible for defending. The defender will normally have to review transaction logs to determine which connections may be the source of adversary activity. Further complicating matters, the Department of Defense is not mandated to provide cyber defense to other sectors of the US government. The DoD is working with the Department of Homeland Security (DHS) to develop best practices for defending other elements of US government networks. The outcomes of these best practices should benefit the JTF Commander in the future. Ideally, the two departments can develop an information-sharing process that would give the United States better situational awareness of what adversaries are attempting to do to government networks. The work between the DoD and DHS will help clarify what each organization is responsible for. If other elements of the US government are responsible for defending non-DoD networks, information sharing among the interagency cyber defense organizations can help lift the fog of what is occurring within the cyber domain for the JTF Commander. Coordination similar to the interagency information sharing process is important so a JTF can design and execute a cyber defense plan.

The department's reliance on social media further complicates the cyber defender's job. Use of social media to communicate the Department of Defense's public message increases its risk. While key billet holders within a Joint Task Force have a need to access social media sites, most service members within a JTF do not need continuous access to social media to perform their duties. Access to social media contributes to the defense workload. The more traffic traversing the Internet Access Points, the more data has to be monitored and evaluated for malware and adversary activity. A Commander may consider limiting the JTF's general access to social media, which is counter to prevailing directives. If the Commander reduces non-mission-critical network traffic, the cyber defenders can improve the quality of the defense effort by dedicating the resources that would have been used to inspect frivolous network traffic to the defense of mission essential network traffic. Critics may counter that access to social media sites is needed to help tell the military story and keep morale high. This argument is a compelling reason to allow all JTF members to have access to social media, but the counterpoint is that access to social media sites need not be available at undue government risk. Planners should design a separate morale network solely for the purpose of accessing non-mission-critical sites for the general JTF population. This network should be directly connected to the Internet, predominantly for recreational purposes.

Many operational planners struggle to embrace the concept of data integrity. Many planners believe that network intrusions predominantly consist of data exfiltration. While that belief may be mostly true, it is not the most significant type of intrusion. The author's experience during exercises was that most operational planners believed adversary knowledge of friendly information was irrelevant because the adversary could not affect the outcome of the plan.

The value of data is rooted in its accuracy. When considering data integrity, a touch of paranoia is healthy. As there are levels of sophistication in burglary, there is equal sophistication in adversary capability. How does one know if one's house was broken into while one was away and something valuable was taken or altered, if the burglar left little evidence? Likewise, how is one to know if an adversary is copying, reading and modifying the files on JTF computers or planting disinformation? These questions must be resolved prior to an operation.

Should a security breach be discovered, operational planners must understand the characteristics of the breach and cyber defenders must be able to clearly articulate how the breach could affect an operation. Thinking that the enemy knows a Joint Task Force's plan but cannot do anything about it is not always the appropriate assessment. Sometimes the severity of a security breach can be comparable to a situation where the enemy modified the characteristics of the JTF's artillery shell/fuse combinations or contaminated fuel sources. Operational planners must ensure the cyber defense force has the necessary resources to protect data integrity and the underpinning concepts to support the operational plan. There are security-monitoring tools to lighten the burden on cyber defense organizations. Cyber defenders must constantly tune and adjust these tools to make them effective, just as any other operator would refine and tune his weapons systems.
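One way to answer the question posed above (how a defender knows whether files were altered or disinformation planted) is to take a keyed integrity baseline before the operation and check it afterwards; the following is an added example, not the paper's or any DoD tool's code. It assumes the file contents are available as bytes and that the key is held off the monitored hosts; the files and key shown are constructed.

```python
"""Added example: a keyed integrity baseline for a set of planning files,
taken before an operation and checked later, so the defender can tell which
files were modified, added or removed.  File contents and the key below are
constructed for illustration."""
import hashlib
import hmac
import json


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _seal(digests: dict, key: bytes) -> str:
    # HMAC over a canonical encoding of the manifest: an adversary who alters
    # a file and recomputes its hash still cannot produce a valid manifest
    # without the key.
    canonical = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_baseline(files: dict, key: bytes) -> dict:
    """files maps path -> content bytes.  The key must be kept off the
    monitored hosts; a baseline stored next to its key protects nothing."""
    digests = {path: file_digest(data) for path, data in files.items()}
    return {"digests": digests, "seal": _seal(digests, key)}


def verify(files: dict, baseline: dict, key: bytes) -> dict:
    """Check the manifest seal first, then classify every path."""
    if not hmac.compare_digest(_seal(baseline["digests"], key), baseline["seal"]):
        # the baseline itself was tampered with, or the wrong key was supplied
        return {"baseline_trusted": False, "modified": [], "added": [], "missing": []}
    known = baseline["digests"]
    return {
        "baseline_trusted": True,
        "modified": sorted(p for p in known
                           if p in files and file_digest(files[p]) != known[p]),
        "missing": sorted(p for p in known if p not in files),
        "added": sorted(p for p in files if p not in known),
    }


# Constructed sample: the files when the baseline was taken, and as found
# later with one altered file and one planted file.
DEMO_KEY = b"constructed-demo-key-do-not-store-on-host"
FILES_BEFORE = {
    "plans/opord.txt": b"H-hour: 0400Z\nMain effort: 1st Bn\n",
    "plans/fires.csv": b"target,grid,rounds\nAB001,12345678,6\n",
}
FILES_AFTER = {
    "plans/opord.txt": b"H-hour: 0600Z\nMain effort: 1st Bn\n",    # altered
    "plans/fires.csv": b"target,grid,rounds\nAB001,12345678,6\n",  # unchanged
    "plans/update.txt": b"disregard the fires list\n",              # planted
}
BASELINE = build_baseline(FILES_BEFORE, DEMO_KEY)

if __name__ == "__main__":
    print(verify(FILES_AFTER, BASELINE, DEMO_KEY))
```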

Similar to the other domains, cyber defense planners are well served by thinking of the enemy first. The cyber domain's characteristics enable multiple adversaries to attack a Joint Task Force while it is attempting to conduct operations in the physical domains. The most significant challenge for a defender is determining attribution for a breach in his network. An attacker can mask his activity using a variety of methods. Unlike a missile strike, where a defender can study a missile's trajectory to understand who just attacked, a cyber defender cannot always do the same. Often, "cyber patriots" or sympathizers rally to an adversary's cause. Opportunists may try to learn how a Joint Task Force would operate in the cyber domain in preparation for future conflicts. In some respects, a Joint Task Force is surrounded in the cyber domain. Planners must prioritize which cyber adversaries they will focus the defensive effort on. Admittedly, this obstacle is extremely difficult to overcome given the resources a JTF normally has available. A Commander may have to accept early in an operation that he may never know who is accessing his networks.

Establishing a standing Functional Cyber Component Command in each of the geographic combatant commands will enable operational planners to develop strategies to prepare for future operations. A standing command, properly resourced, would have the ability to develop and exercise standing operating procedures to counter adversary activity before a crisis. A standing Functional Cyber Component Command can reduce some of the disadvantages a JTF Commander faces by having clear command and control relationships established and presenting a clearer cyber defense picture. The proposed command would also provide a JTF Commander an estimate of how the JTF could operate in a degraded cyber environment.

A Joint Task Force Commander, as the supported commander, would need to reconcile how severe a deliberate cyber attack his JTF can withstand and remain combat effective, based on the cyber component command's framework. This effort is no trivial task. Most service members take command and control systems for granted. Commands make little effort to learn how long a joint force can be effective in a severely degraded cyber environment. A Commander must establish redlines for the loss of certain command and control systems, just as he would with the loss of a carrier or an aircraft wing, and develop contingency plans.

Once an adversary employs a tool to access a JTF network, the tool is of little value as soon as the vulnerability that the adversary exploited is discovered. In essence, the attack has reached its culminating point. Williams counters that an attack does not reach a culminating point in the cyber domain. However, the effects an attacker is trying to achieve will quickly diminish once the exploit is unleashed, the effort discovered and the defender takes remedial action. In other words, the defender can quickly develop a plan to counter the effort once the trap has been sprung. After a zero-day exploit has a patch, it no longer presents a viable threat. In a way, the adversary has reached a culminating point in his cyber attack with a specific tool. The JTF will need to act quickly to help bring about the adversary's culminating point. Similar to being caught in an ambush and executing a counter-ambush battle drill, a JTF must have a clear battle drill to develop solutions to network intrusions.

Conclusions: A Joint Task Force Commander can use similar planning tools and methods to defend the cyber domain as he would in any of the warfighting domains, allowing for some of the unique characteristics of the domain. However, there needs to be a greater understanding within the operations community of the domain's characteristics to improve the combat effectiveness of a JTF. The cyber defense community also bears responsibility to understand its role as warfighting operators and not simply support technicians. While cyber defenders' contributions to the campaign may not garner headlines, the work these quiet professionals perform can have a profound impact on a JTF's success. Both the operational and cyber defense communities have made significant strides to understand each other to better support their commands.

The Department of Defense will need to change how it organizes, trains and equips the military departments to support a theater campaign by providing the Commander the tools he needs to prevent the cyber domain from becoming a critical vulnerability. If the DoD cannot develop an adequate command and control model to support a JTF Commander earlier in an operation, it is likely that new legislation, such as an update to Goldwater-Nichols, is needed. The DoD must also improve how it trains the joint force so that its members can be prepared to play an active role in defending a critical resource.